Security awareness, security breaches, and the abuse of "stupid"

Computer security is not created, nor is it improved, by calling people stupid. That's the conclusion I have arrived at after more than two decades in computer security and auditing. To put it another way, we should stop dropping the "S" bomb, especially when it comes to people who don't know any better.

Consider the phenomenon of people posting photos of credit cards on Facebook, a sort of self-inflicted security breach. Your first reaction might be "Is that stupid or what?"

In my opinion the "or what?" is a fair question, one that I thought about this President's Day, a day when a lot of credit cards in America get a good workout (with the notable exception of the one in this picture).

Note that what you're seeing is a doctored version of what actually appeared on Facebook, where the details on the front of the credit card were clearly visible. These have been masked in this screenshot, along with other identifying information (I have tried to find out who produced the above image in order to give them credit, as it were, but so far I've not succeeded).

Also note that the person who posted the pic does not seem to be the card owner, so it's not a case of "stupid kid posts photo of his first credit card," which is how some bloggers described it (although I am sure there are cases of that kind as well). No, this is just a case of a person, possibly a parent, being proud of that "first credit card" moment, and wanting to share it with friends and family. This person was probably in the same state of mind as many other Facebook users who:

A. Think of Facebook as a place to share things with a few select friends, but have not adjusted their "share" settings accordingly, and;

B. Under-estimate the number of people who are willing to take advantage of their fellow human beings.

In other words "they don't know any better" and possibly lack the kind of life experiences that make other people think twice about putting a photo like that online. Now, I don't know what percentage of Facebook's 800+ million users are currently A+B positive, so to speak, but they represent a rich vein of potentially exploitable persons. Fraudsters and scam artists are keen to mine that vein, as evidenced by the constant appearance of new deceptions documented by websites like Facecrooks.

What should really be of concern to companies, and society at large, is that these A+B folks are not just a target on Facebook. Criminals are targeting users who lack security awareness across a wide range of information systems. They are crafting attacks that rely on exploiting digital device users who have little or no security training.

So the next time you hear infosec professionals bemoaning the stupidity of users you need to ask: "Are they stupid because they are ignoring the security training they received, or are they doing stupid things because we have failed, as an organization, and as a society, to teach them to know better?"

Are these people really that naive? Really? The vast majority of the stuff I have seen is not a matter of security awareness but of common sense. And if they have ever watched a newscast, they would have been exposed to the fact that people love to exploit others. Profiting from another's loss is what Wall Street is all about. So are casinos. And politics. And there are constant reminders both online and off that whatever makes it on the web is there for everyone forever, no matter what your "share" settings are. Someone will eventually compromise the site and what you thought was private is now public, possibly in a very big way.

I need to talk to someone about fraud. Someone tapped into a friend's Facebook and was pretending to be her to obtain private financial information.

Can someone please call me [numbers removed to protect the privacy of the commenter]. Thanks

Although the article does give one pause to re-think thoughts / conclusions one tends to jump to, I do feel that:
1) We cannot say we have failed to teach them to know better, for in my experiences, with me and my teenagers, one can lead a horse to water … one, at times, would love to go back to the candy or the stick as it was in the old days.
2) Ignorance cannot be held as an excuse either anymore; at least, we are very close to that point.
3) Ignorance can however be written off as a learning experience if one takes into consideration how many of the 800mil on FB have seen, heard, experienced, been warned by friends and family, read articles and warnings, signed papers, electronically signed waivers (as Bruce Epper mentioned above), about the risks involved in today's electronic life, which comes back to lead a horse to water and entice it to drink or else … and we are not allowed to do that at all.

Bottom line, learn quickly or be prepared to accept that you were stupid and take what comes your way.

P.S. If you have done all you can, and you still got robbed, make sure you learn how it was done and factor it in next time, and then share it with the rest of us so we can learn.